I considered just giving up – but, I’ll be damned if I will. I take every precaution I can to guard against the invasive parasitic practices of data collectors who are persistent in their attempts to collect “anonymous” data on my personal browsing habits. But, it’s never enough.

Despite my precautions – despite the tools I use in an attempt to respond to the insidious nature of web tracking – I find myself fighting a constant rear guard action. No sooner do I reach a plateau from which I can exert a functional level of control over the “behind closed doors nature” of Internet tracking – than I’m forced to deal with an even more insidious method of personal data collection.

Let’s spin back for a moment, to the time when the so-called LSO (Flash Cookie) was introduced as a response to users gaining control over standard HTTP cookies. Control which allowed for the acceptance, the rejection, and the wiping of private data – including wiping cookies.

The Flash Cookie changed all that. By design, a Flash Cookie (Super Cookie) remains active on a system even after the user has cleared cookies and privacy settings. BetterPrivacy, a free Firefox add-on, stepped into the battle to address this issue and gave users an opportunity to identify, and delete, Super Cookies.

When a Tracking Cookie is not obvious to a casual Internet user and, when that cookie cannot be deleted without the aid of a specialty cleaner, then Internet tracking has been taken to a level that borders on deception. Hell, let’s call it what it really is – crooked, immoral, fraudulent, illegal, ……..

When I first wrote on Super Cookies in September 2009, I made the following comment –

“……….with little resistance being offered by the “sheeple”, and a failure by regulatory authorities to enact appropriate consumer protection laws, we can expect privacy intrusions, like this, to accelerate.”

It’s hardly surprising then, that we are now faced with the Evercookie (HTML5 Cookies).

From Wikipedia:

An Evercookie is not merely difficult to delete. It actively “resists” deletion by copying itself in different forms on the user’s machine and resurrecting itself if it notices that some of the copies are missing or expired. Specifically, when creating a new cookie, Evercookie uses the following storage mechanisms when available:

Standard HTTP cookies

Local Shared Objects (Flash cookies)

Silverlight Isolated Storage

Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out

Storing cookies in Web history

Storing cookies in HTTP ETags

Storing cookies in Web cache

window.name caching

Internet Explorer userData storage

HTML5 Session Storage

HTML5 Local Storage

HTML5 Global Storage

HTML5 Database Storage via SQLite

Hold on – there’s more:

The developer is looking to add the following features:

Caching in HTTP Authentication

Using Java to produce a unique key based on NIC information.

We’re not quite finished.

With this tool it is possible to have persistent identification of a specific computer, and since it is specific to an account on that computer, it links the data to an individual. It is conceivable this tool could be used to track a user and the different cookies associated with that user’s identifying data without the user’s consent. The tool has a great deal of potential to undermine browsing privacy.
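
As an added example (not part of the original post, and not code from Evercookie or BleachBit), the resurrection behaviour described above can be detected by snapshotting each storage mechanism, clearing only HTTP cookies, revisiting the site, and comparing the two snapshots. The snapshot format, store names, origins and identifier values below are constructed for illustration.

```python
# Added example: flag identifiers that come back after a store is cleared.
# Snapshot format (constructed): {store: {origin: {key: value}}}
MIN_ID_LEN = 8  # skip short values ("en", "1") that match by coincidence


def find_respawned(before, after, cleared_stores):
    """Values wiped from a cleared store that reappear unchanged on the next
    visit AND still sit in a store that was not cleared."""
    findings = []
    for store in cleared_stores:
        for origin, items in before.get(store, {}).items():
            for key, value in items.items():
                if len(value) < MIN_ID_LEN:
                    continue
                # A fresh visit would mint a new ID; the old one means respawn.
                if after.get(store, {}).get(origin, {}).get(key) != value:
                    continue
                # Stores still holding the value are the ones left to clean.
                survivors = sorted(
                    other for other, origins in after.items()
                    if other not in cleared_stores
                    and value in origins.get(origin, {}).values()
                )
                if survivors:
                    findings.append({"origin": origin, "store": store,
                                     "key": key, "value": value,
                                     "restored_from": survivors})
    return findings


# Constructed sample data: state before clearing HTTP cookies ...
BEFORE = {
    "http_cookie": {"tracker.example": {"uid": "a81f3c9e2b7d", "lang": "en"},
                    "shop.example": {"session": "77c1d0e45b3a"}},
    "flash_lso": {"tracker.example": {"uid": "a81f3c9e2b7d"}},
    "html5_local_storage": {"tracker.example": {"uid": "a81f3c9e2b7d"}},
}
# ... and after clearing them and revisiting both sites.
AFTER = {
    "http_cookie": {"tracker.example": {"uid": "a81f3c9e2b7d", "lang": "en"},
                    "shop.example": {"session": "0f4e77aa91c2"}},
    "flash_lso": {"tracker.example": {"uid": "a81f3c9e2b7d"}},
    "html5_local_storage": {"tracker.example": {"uid": "a81f3c9e2b7d"}},
}

if __name__ == "__main__":
    for f in find_respawned(BEFORE, AFTER, {"http_cookie"}):
        print(f"{f['origin']}: {f['store']}[{f['key']}] restored from "
              f"{', '.join(f['restored_from'])}")
```

Mechanisms that are not captured in a snapshot, such as ETags or cached PNGs, are outside what this comparison can see.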

I don’t know what your definition of hacking, or illegal access encompasses – but, in my view, the placement of an Evercookie steps over the line into the realm of cybercrime. I suggest to you, that if a government were to penetrate a user system to plant an Evercookie as a matter of course – the outrage would be immediate. But, private enterprise does it – and the “sheeple” happily bow to what they consider the inevitable.

The tracking industry (a multi-billion dollar industry) has gone too far on this one. I predict the litigation lawyers, and privacy advocates, will run out the big guns in a justifiable attempt to eradicate this spyware.

Personally, I believe that criminal charges should be laid against the executives of those organizations currently using Evercookie. I see no difference between these yahoos, and Russian cybercriminals.

Additional statistics on which web sites are currently using Evercookies can be had by reading an eye opening article by one of my favorite Tech writers Ed Bott – here.

In the meantime, you might consider installing BleachBit – an open source application which will delete Evercookies from your system.

In the following screen capture I have focused on a Firefox cleanup – including wiping HTML5 cookies.

In this screen capture the focus is on deleting Flash cookies (Super Cookies).

Let’s take a look at a preview of what’s going to be deleted:

Choosing the same parameters using CCleaner (a Flash and Firefox cleanup), leads to a considerable difference.

Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster.

30 responses to “Open Source BleachBit 0.9.3 – Deletes HTML5 Cookies”

Wow, once again Bill YOU DELIVER! Just installed and ran it for the first time. It works very well, along with being partnered with CC Cleaner. A most welcome addition to my never ending fight against personal privacy and invasion from the Private Sector. Thanks for doing the research on this.
Don

It’s a cliche to say the enterprise has no conscience – still, if there was ever a situation that lends some truth to the cliche, the use of Evercookies qualifies, I think. It’s simply malware in disguise.

Bill, thanks, your energy and candor on this subject is refreshing and motivating. And, I might add, you’re spot on when you state that these evercookies are a form of cyber crime. Sheeples…I love it!
Best,
Paul

Hi Bill,
I think these people sit up at night thinking of new ways to be evil. Thanks to guys like you, we might be able to stay just far enough in front of them that we don’t get taken in by it all. My dad always says, You want to know about something, “Follow The Money”

The sad part is, there are a lot of sheeple that don’t care enough to do anything about it for their own protection, but that’s a story for another rant.

Thanks for bringing up bleachbit, I actually have it installed through portable apps because the less programs I have installed on C drive, the better.

This is a fantastic recommendation once again! I’ve never stuck to using a single cleaning program and have installed several products along with a heavily modified hosts file. They don’t always remove all of the junk and I regularly find myself having to add custom files to wipe to Ccleaner’s custom settings and have had to resort to manual registry cleaning at times.

I’ve just run Bleachbit and removed 235Mb of files!

Most people don’t seem too concerned about cookies for some strange reason. Currently I’ve been attempting to get my CEO to make our three company websites compliant with the European Cookie Law but non-compliance is not seen as an important issue either by the CEO or other staff members. I will be sending them a link to your post!

Hey Bill,
Recently I noticed that when I visited Youtube in Firefox, with NoScript enabled and the Flash plugin disabled, that videos still played. The reason: HTML5 cookies.
I was wondering what the ramifications of all this were. Now I know, thanks to you. Another fantastic find by you. Thank you, I appreciate it.
Cheers

I’m very glad to get your comment. The scenario you describe is what one would expect following a malware infection. In other words, you have lost control of your machine due to the placement of an object, or series of objects, that you didn’t ask for – are/were unaware of the placement – and, have no easy method to locate and delete.

The tracking industry can sex it up by calling it whatever they like – Evercookie – the road to Nirvana – whatever. In my book, if it walks like a Duck and quacks like a Duck – it’s a goddamn Duck. And, this Duck is spyware.

As you and I both know, one of the saving graces of technology is – someone will always find a way to beat the bastards (government or enterprise) at their own game. At least for the moment, BleachBit seems to be a solution to this latest attack on our personal privacy.

Hey Bill,
Yep, it certainly had me concerned til I found the reason for it, and it pissed me off too. Just when I think I am on top of things, we have a new threat to deal with.
A quick question: I notice that HTML5 cookies are only cleaned through Firefox. What are we to do with other browsers that we use? For instance, I use Comodo Dragon to play an online game I am addicted to. Just a thought I had when running BleachBit.
Cheers

We had a sort of “round table” discussion on this last night, over a few jars of course :) – and the consensus was that we all have a lot to learn on this issue. In fact, some members had never heard of this problem.

I think the best advice I can give you is this – when playing your game run Comodo in a sandbox application. Hopefully (and, I do mean hopefully), this will take care of the problem. I’m going to spend a few days on this so I may have a better solution soon.

Bill is like a Knight with his sword taking on the dragon.
The Dragon has all the power, all the unscrupulousness, yet, to date, the Knight finds ways to defeat the dragon, even if just for a time.
Thanks Bill…

I have the same problem when using alternative search engines – I always think I’m missing something. Of course I’m not, since many alternative SEs rely on Google to begin with – but still….

It’s interesting, that all of the readers who have commented on this article are either high level users, or IT Pros. I suppose that one needs the background to understand the kind of evil we’re dealing with here.

It’s not often that I worry about the neighbours having to put up with my laughter. I’m sure though, that I could be heard down the street and around the corner this morning. A hedgehog crap, indeed. lol

I now feel fully educated about evercookies thanks to you. I use a few other browsers other than the ones that BleachBit is capable of cleaning so I decided to check for evercookies. SlimBoat (portable version) had evercookies present in a couple of locations and I confirmed this by running the test here using SlimBoat and several different user agents:

I usually check the Options/Settings/Preferences of my browser after an upgrade to make sure I haven’t lost any settings and to see what’s new. I remember when I saw an option to allow HTML5 to use local storage (and a sub-option to delete any files on close) I refused to allow any local storage. I did that for the same reason I used to have my flash storage set to zero – I didn’t know what all the storage would be used for, and if it’s optional then it’s clearly not needed for the technology to work. I eventually wound up enabling local flash storage (some sites wouldn’t work without it enabled) once I got the NirSoft program that deleted LSO’s, and I used a program that sat in the tray and let me turn the flash bit on and off so I wouldn’t get cookies when I was just surfing, only when I actually wanted to see some particular flash content. My current most-used browser allows me to click on specific flash objects if I want to allow them. What a pain this all is (how inconvenient!), and here’s the kicker – just a few days ago, thanks to a link in your Tech Thoughts, I was reading about a tracking company trade group CEO telling Senators he thought the industry was doing a good job of policing itself and legislation wasn’t needed to control tracking, or protect privacy.

When mechanical gadgets first started being made it was for convenience – to benefit us by freeing up time for other things. Now, in the information age, the CON part of convenience seems to be prevalent. Corporations know we’ll make poor decisions and put convenience above things like privacy, nutrition, financial well-being, etc. Too often a gadget or technological breakthrough is a mere piece of cheese, luring the consumer into a trap – the worst kind of trap: one which they never realize they’re in. Are we mice now, destined to live our lives running around the mazes they create for us?

I’m reminded more and more of the opening of the TV series The Prisoner where Patrick McGoohan yells out, “I am not a number, I am a free man!” More and more there’s times when I feel like grabbing a CEO’s lapels and yelling, “I am not a consumer, I am a free man!” Think the message would get through?

I could not have said that any better. Well thought out and convincing.

Occasionally, a reader’s comment strikes such a note with me that I’ll take that comment and post it as a stand-alone article. Your comment is a perfect example. I’m just now in the process of posting this as an article.

I am a senior that read about zombie cookies being used by web companies like bluecava.com a couple years back and of course forgot. If I was to use Bleach, how do I securely use it as to not destroy my win32 etc.?

It’s unlikely that an application like this would “destroy” an OS. However, should a user not carefully choose the items to be cleaned, it’s possible that user set application configurations can be changed. For example, when I first tested this app, I inadvertently wiped out my Firefox configuration and had to reinstall a backup. As well, since I wasn’t paying full attention, I wiped out Word’s recently opened Docs. Not a big deal, but annoying nevertheless.

Two things to keep in mind:

Use the developer’s help files to familiarize yourself with the settings you feel comfortable with.

Prior to running the app create a restore point so that you have a fallback in the event the cleaning process has been too ambitious.

Best,

Bill
